- Package:
- src:xmedcon
- Source:
- src:xmedcon
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2025-03-27 21:51:03 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for xmedcon.

CVE-2025-2581[0]:
| A vulnerability has been found in xmedcon 0.25.0 and classified as
| problematic. Affected by this vulnerability is the function malloc
| of the component DICOM File Handler. The manipulation leads to
| integer underflow. The attack can be launched remotely. Upgrading to
| version 0.25.1 is able to address this issue. It is recommended to
| upgrade the affected component.

https://xmedcon.sourceforge.io/Main/New
https://sourceforge.net/p/xmedcon/code/ci/e7a88836fc2277f8ab777f3ef24f917d08415559/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2581
    https://www.cve.org/CVERecord?id=CVE-2025-2581

Please adjust the affected versions in the BTS as needed.
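The advisory above names the bug class (an integer underflow in a length computation that reaches malloc in the DICOM file handler) but gives no code. The block below is an added illustration of that class, not xmedcon's code and not a reconstruction of the actual flaw: the element layout (4-byte little-endian total length including the header, 4-byte tag, then the value), the helper names and the sample inputs are all constructed for this example. It shows the unchecked subtraction that wraps when a file declares a total shorter than its own header, next to a derivation that rejects the header before subtracting and bounds the result by the bytes actually present.

```c
/* Added example (not xmedcon's code): a length subtraction that underflows
 * and would feed malloc/memcpy while parsing a DICOM-like element, shown
 * beside a bounds-checked version. The element layout is an assumption
 * constructed for this example, not the real DICOM encoding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: 4-byte LE total length (header included), 4-byte tag,
 * then total - ELEM_HDR_LEN bytes of value. */
#define ELEM_HDR_LEN 8u

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable derivation: a declared total below the header size wraps the
 * unsigned subtraction; the wrapped value is what would reach malloc. */
size_t unsafe_value_len(uint32_t total)
{
    return (size_t)total - ELEM_HDR_LEN; /* total = 4 wraps to SIZE_MAX - 3 */
}

/* Hardened derivation: reject before subtracting and cap by the bytes
 * actually available. Returns 0 on success, -1 when the header is rejected. */
int safe_value_len(uint32_t total, size_t avail, size_t *out)
{
    if (total < ELEM_HDR_LEN) return -1; /* would underflow */
    if (total > avail)        return -1; /* claims more than the buffer holds */
    *out = total - ELEM_HDR_LEN;
    return 0;
}

/* Parse one element from buf. On success *value is a malloc'd copy of the
 * value bytes and the return is its length; otherwise -1 and *value is NULL. */
long parse_element(const unsigned char *buf, size_t len, unsigned char **value)
{
    size_t vlen;
    *value = NULL;
    if (len < ELEM_HDR_LEN) return -1;
    if (safe_value_len(rd_le32(buf), len, &vlen) != 0) return -1;
    unsigned char *v = malloc(vlen ? vlen : 1);
    if (v == NULL) return -1;
    memcpy(v, buf + ELEM_HDR_LEN, vlen);
    *value = v;
    return (long)vlen;
}

/* Constructed inputs: one well-formed element and two hostile headers. */
long demo_wellformed(void)
{
    static const unsigned char elem[12] = {
        12, 0, 0, 0,            /* total = 12 */
        0x08, 0x00, 0x10, 0x00, /* tag */
        'A', 'B', 'C', 'D'      /* value */
    };
    unsigned char *v;
    long n = parse_element(elem, sizeof elem, &v);
    if (n == 4 && memcmp(v, "ABCD", 4) != 0) n = -2;
    free(v);
    return n;
}

long demo_underflow(void)
{
    /* total = 4 < ELEM_HDR_LEN: the unsafe path would compute SIZE_MAX - 3 */
    static const unsigned char elem[8] = { 4, 0, 0, 0, 0x08, 0x00, 0x10, 0x00 };
    unsigned char *v;
    long n = parse_element(elem, sizeof elem, &v);
    free(v);
    return n;
}

long demo_oversized(void)
{
    /* total = 0x7fffffff: far more than the 8 bytes actually supplied */
    static const unsigned char elem[8] = { 0xff, 0xff, 0xff, 0x7f, 0x08, 0x00, 0x10, 0x00 };
    unsigned char *v;
    long n = parse_element(elem, sizeof elem, &v);
    free(v);
    return n;
}

int main(void)
{
    printf("unsafe len for total=4: %zu\n", unsafe_value_len(4));
    printf("well-formed: %ld, underflow: %ld, oversized: %ld\n",
           demo_wellformed(), demo_underflow(), demo_oversized());
    return 0;
}
```

The check order matters: the comparison against the header size has to happen before the subtraction, because once the value has wrapped no later `> avail` test can tell a hostile file from a legitimately large one, and the bound against bytes actually present is what stops the follow-on memcpy from reading past the input even when the subtraction itself is fine.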
Control: tags -1 + fixed-upstream pending bookworm bullseye
Control: found -1 0.23.0-gtk3+dfsg-1+deb12u1
Control: found -1 0.16.3+dfsg-1+deb11u1

Greetings,

I am working on updating xmedcon in sid, which should resolve the problem for the upcoming trixie. I identified that the patch needed a slight porting effort to bookworm, but it then applies seamlessly on bullseye. I plan to liaise with the release team once done with the sid update and after making sure there are no obvious issues with the patch ported to xmedcon 0.23.0. I don't really have plans to work on the bullseye port, but the patch is attached in case someone from the LTS team wants to take over.

Have a nice day, :)
Hi again,

Étienne Mollier, on 2025-03-22:

I am resending the patch for bookworm, and possibly bullseye, now with a DEP3 header and no FTBFS in bookworm.

Have a nice day, :)
We believe that the bug you reported is fixed in the latest version of
xmedcon, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1100986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <emollier@debian.org> (supplier of updated xmedcon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 22 Mar 2025 19:09:24 +0100
Source: xmedcon
Architecture: source
Version: 0.25.1-gtk3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1100986
Changes:
xmedcon (0.25.1-gtk3+dfsg-1) unstable; urgency=medium
.
* New upstream version 0.25.1-gtk3+dfsg fixes CVE-2025-2581.
(Closes: #1100986)
* typos.patch: refresh patch.
* gcc-15.patch: remove: applied upstream.
* d/copyright: fix l/t/ecat7w.c and s/m-qmedian.c terms.
Checksums-Sha1:
1907ff3cf7552a8d533d795a51875598824841e6 2488 xmedcon_0.25.1-gtk3+dfsg-1.dsc
ae998d52459e6d5111a163e6b9afef6cf3d1623a 445376 xmedcon_0.25.1-gtk3+dfsg.orig.tar.xz
b65ab7b1c8c9f78caa9f274327e912f339edf455 13692 xmedcon_0.25.1-gtk3+dfsg-1.debian.tar.xz
Checksums-Sha256:
eb034adeffef6e1df7272793cb05d89cea6790b01c448eac072365509f2bc6ca 2488 xmedcon_0.25.1-gtk3+dfsg-1.dsc
96b3402037209b8c59394fc1d107739222a8ea3861fdf97cf17d9b557421911a 445376 xmedcon_0.25.1-gtk3+dfsg.orig.tar.xz
f53b744b23341c2ce8782077c91eb2e0f74422284fce7137ac474b328e851bb8 13692 xmedcon_0.25.1-gtk3+dfsg-1.debian.tar.xz
Files:
44d474f7be42dc450f7b9bced46ad66e 2488 graphics optional xmedcon_0.25.1-gtk3+dfsg-1.dsc
8a7f380d21a9acbc378c8ca13b8c540f 445376 graphics optional xmedcon_0.25.1-gtk3+dfsg.orig.tar.xz
d4d162967f64db4e40c9289f59985584 13692 graphics optional xmedcon_0.25.1-gtk3+dfsg-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEj5GyJ8fW8rGUjII2eTz2fo8NEdoFAmffBSwUHGVtb2xsaWVy
QGRlYmlhbi5vcmcACgkQeTz2fo8NEdqlHxAAq68ASoMTNnrFKXWcP6+O/bu+VgeT
JaE9eUWX6TLxIOqbT2/S+zbaCmgv3al9tNPP4o+gbJChnOpMmdGwaBmVehpWLnrI
gDf1G7GzzWpQrBqXnAEpd1EP4zi3L8/S/+vF0IAj+kM540696SI6324a+uwPkOPA
F8jjmsQc5hRX7FwUozEe/sh+ximLC+J6uvijaeyHs9osdfmNBabos5u4decaNGx1
LoFnQxz+j/KFSw2obuv8vvXZ8bR9mXfbmQIFslyF2CugBLHnmYQDTSlWDfTu1h19
YWiOPxensaNNrACb/9ytgMyL8AsRgYZg53YYz+M2RzfO4kY3mlFRYMKRdKjtnFDC
B+xhGu2JQGS0JLO7+sOZyP1mOgnC6P5TepFHYuJ3u0/4ILy66olv+Fx46LjPHHQP
+m4XZWAKdu0kK9yeFVwmQ4RJkULVQ9BerD/B2aD4Z/AqiCKpkyBvg4eWZdpX9TX+
cgOf6gHI8Cy8F9onolhjbADp2E3NAS77uZRVN+n331px2prnJapN9YtvisPpq8x5
BRaPKntnggfkSZsuDgCBbi4vjr1bxmhnbbrlNpknFa/YxSyz/EbwpObmoESQ/x7V
PLrY7S/RWRlrNskUm7Zi0D3dpwhxac2jMbq3Jt9M2KWCqST97vIJiSOJUEbmm21G
+ktWPK9hhwBn4vs=
=t6ZW
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
xmedcon, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1100986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <emollier@debian.org> (supplier of updated xmedcon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 22 Mar 2025 19:58:34 +0100
Source: xmedcon
Architecture: source
Version: 0.23.0-gtk3+dfsg-1+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1100986
Changes:
xmedcon (0.23.0-gtk3+dfsg-1+deb12u2) bookworm; urgency=medium
.
* Team upload.
* CVE-2025-2581.patch: new: fix CVE-2025-2581.
(Closes: #1100986)
Checksums-Sha1:
e1e6626a776f1bb1211d7a43b6233da3cd857a0a 2449 xmedcon_0.23.0-gtk3+dfsg-1+deb12u2.dsc
63d2cde7bb5732f4b3acc5bc59275ea3f476f3fe 14076 xmedcon_0.23.0-gtk3+dfsg-1+deb12u2.debian.tar.xz
Checksums-Sha256:
82b9676e6553fbac0b0424a1b35171a2351084e87d3f8650bf81e178c1c85d3c 2449 xmedcon_0.23.0-gtk3+dfsg-1+deb12u2.dsc
9efbdf9b2a2d35ff4f5fe49542a130a4e7cbbf503459514c98c11ef8388a0bed 14076 xmedcon_0.23.0-gtk3+dfsg-1+deb12u2.debian.tar.xz
Files:
21a0d1ecad3ab30f48d8f8a951ce9007 2449 graphics optional xmedcon_0.23.0-gtk3+dfsg-1+deb12u2.dsc
5cc13b884ea71da5970d26416faa25c3 14076 graphics optional xmedcon_0.23.0-gtk3+dfsg-1+deb12u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEj5GyJ8fW8rGUjII2eTz2fo8NEdoFAmflrw4UHGVtb2xsaWVy
QGRlYmlhbi5vcmcACgkQeTz2fo8NEdoL2BAArvYPVmbyK0Ry2ji8eMgUpqwf4x8q
BFioeP5n+Yptc9kcett/+PVBOAmR10EKP3SgPt5kb+HzKfRJAo759KsBD5C90h9I
dK+J+Y0rVHGgUN/GdDcgWQjwirJQDw0h34WtGRV+NG+eILbed1LIZoOwt7Ht/0mw
dblMkjSRB7wzCu22VHthltHCNTWdCzH0kZJSpKZ34crETtHXxOGItfeiH78QgYZr
bzh1EuVVltaIjbrngVIq23N7VO/Q7bgtstx2xpFq2jNhgD5maNzFrUZyp8yHJxZ5
z5Ydx0zwpGVo0iQQSTNY2c+2avDDBaPhlWLHVpzFezzkhfLPyOPDsmZ2PKdIRm71
1QkmLoqLTSRtfGQSlXnqY+G2EhDrUBPdrVE3kX0cjk+Ke3/XqW4ceYFc7E1JbAuD
cfZ2Oe3Q+VG6tz5mUAqgitcLphL0hS6ySyG+gnRoZXVGSHA154rF2Rgr7ys0MTho
A4jYIgVXLg6TvZykA3HiEKR/HEy3rfNDawqy+XIZZf3FYhgObz8pcTbcd13RYPdd
LgIsNBc9zZvBn4WXm8FpOfjOnxKnHEUQYIleyaMM6vKFyyy8Iwx5n3Fk2ZVL9hKS
InfqGfeZZ8V6cYNDWTC0fjPA66gePQ8UFEv9er5NpYbMnseMcpwhEcV+QVfjvVmi
Qsd3KlxP52jhF9c=
=VrXQ
-----END PGP SIGNATURE-----